-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-045
Product: Secure File Sharing
Vendor: Serv-U
Affected Version(s): Serv-U 15.1.2.189
Tested Version(s): Serv-U 15.1.2.189
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-07-23
Solution Date: 2015-11-04
Public Disclosure: 2015-11-09
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

An email spoofing vulnerability could be identified in the Serv-U Secure
File Sharing application.

Serv-U Secure File Sharing is described as follows [1]:

"Secure file sharing lets users send files to and request files from
anyone. When deployed in your data center, Serv-U Managed File Transfer
Server provides this popular “ad hoc” file transfer service to your
end-users on your existing infrastructure, and under the control of your
existing security policy."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application allows entering arbitrary email addresses, subjects and
comments for upload and download requests, which are then sent via email.
The sender address is taken from user input instead of being derived from
the authenticated account. An authenticated user of the application can
therefore send invitations from arbitrary sender email addresses with
arbitrary subjects.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Use an arbitrary sender email address like CEO@company.com, choose your
preferred subject and add your comment, which will become part of the
resulting email.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information from Serv-U, a HotFix for the described security
issue is available at [2].

Please contact the manufacturer for further information or support.
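The following is an added illustration of the root cause and the usual
mitigation; it is example code written for this page, not Serv-U's code and
not the vendor's HotFix. It contrasts the pattern the advisory describes (every
header taken from the request) with a version in which the sender identity is
derived from the authenticated session: From is a fixed service address,
Reply-To is the account's verified address, and a request that names any other
sender is rejected. The Account class, the SERVICE_SENDER address and the
function names are assumptions made for the example.

```python
"""Added example (not Serv-U's code): building an ad hoc file-transfer
invitation so that the sender identity comes from the authenticated session,
not from a form field. Account, SERVICE_SENDER and all names are assumed."""
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed placeholder for the mailbox the server really sends from.
SERVICE_SENDER = ("File Sharing Service", "noreply@example.invalid")


@dataclass(frozen=True)
class Account:
    """The authenticated user as the server knows it (constructed for the example)."""
    username: str
    display_name: str
    verified_email: str  # address the account holder has proven ownership of


class SpoofedSenderError(ValueError):
    """Raised when a request tries to send as an address the session does not own."""


def build_invitation_vulnerable(form: dict, comment: str) -> EmailMessage:
    """Pattern described in the advisory (CWE-345): sender, recipient and
    subject are copied from the request, so any authenticated user can send
    an invitation that appears to come from any address."""
    msg = EmailMessage()
    msg["From"] = form["sender"]        # user-controlled: the spoofing vector
    msg["To"] = form["recipient"]
    msg["Subject"] = form["subject"]    # user-controlled
    msg.set_content(comment)
    return msg


def build_invitation(account: Account, form: dict, comment: str) -> EmailMessage:
    """Hardened version: the sender identity is derived from the session.

    - From is always the service address; Reply-To is the account's verified
      address, so recipients can still answer the real requester.
    - A 'sender' field in the request is honoured only if it equals the
      verified address; anything else is rejected as a spoofing attempt.
    - The subject is built by the server; the user's text goes into the body.
    """
    requested = form.get("sender")
    if requested is not None:
        _, requested_addr = parseaddr(requested)
        if requested_addr.lower() != account.verified_email.lower():
            raise SpoofedSenderError(
                f"{account.username!r} may not send as {requested_addr!r}")
    msg = EmailMessage()
    msg["From"] = formataddr(SERVICE_SENDER)
    msg["Reply-To"] = formataddr((account.display_name, account.verified_email))
    # EmailMessage rejects CR/LF in header values, so a form field cannot
    # smuggle additional headers through To.
    msg["To"] = form["recipient"]
    msg["Subject"] = (f"{account.display_name} ({account.verified_email}) "
                      "sent you a file transfer request")
    body = (f"{account.display_name} <{account.verified_email}> has requested "
            "a file transfer.\n\nMessage from the requester:\n"
            f"{comment}\n")
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    alice = Account("alice", "Alice Example", "alice@example.invalid")
    request = {"sender": "CEO@company.com", "recipient": "bob@example.invalid",
               "subject": "Urgent"}
    print(build_invitation_vulnerable(request, "please review"))  # spoofed From
    try:
        build_invitation(alice, request, "please review")
    except SpoofedSenderError as exc:
        print("rejected:", exc)
    print(build_invitation(alice, {"recipient": "bob@example.invalid"}, "hello"))
```

The design point is that the server never needs a user-supplied sender at all:
deriving From and Reply-To from the session removes the spoofing vector, and
logging the rejection gives an operator a signal when an account tries to
send as someone else.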
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-07-06: Vulnerability discovered
2015-07-23: Vulnerability reported to vendor
2015-07-30: Vulnerability reported again as the vendor did not respond
            to the first e-mail
2015-08-31: Vulnerability reported again as the vendor did not respond
            to the first e-mails
2015-09-16: Rescheduling of the publication date in agreement with the
            manufacturer
2015-11-09: Public release of security advisory on agreed publication
            date

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Serv-U, Secure File Sharing
    http://www.serv-u.com/secure-file-sharing
[2] Serv-U, HotFix for Secure File Sharing
    http://downloads.solarwinds.com/solarwinds/Release/HotFix/SU-v15.1.2-HotFix2.zip
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn and Philipp Buchegger of
SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

E-Mail: philipp.buchegger (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Philipp_Buchegger.asc
Key ID: 0xBB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide information that is as accurate as
possible. The latest version of this security advisory is available on
the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWPMt3AAoJENWmFJbQahTezwUQAIRhKE5sqYa3QJ+DzkA3qQlV
g+RVJu1R2JT/hoZ4wsLa+vMsCqQaE5ZoJWnlg4cZtOvhjQWJ5qd+BBz4j5EYAepN
FkDDD7RAAFDfzl215kSP0ju6ZmxJ8AjtwbczYLCqn+hRwUDBIQ2iR31YY8Fm14bc
f+nJWE0eKwYkt8ZyjmldSjr0x1dE7kjqFNnvu8+neGM6+cLny9oAwAQVCXP0iadW
/7uFoMJ/5iNcCGM1q2SkwQohlmJJsR70X9fs82VG1W1513Gkhzw8G56yofv67OJF
vDvdXNi7x0SBwMD9L/IwVg7JBp57JU3jF4ZpJ3qB0QJcnJkeSMaF5KN4eZGDbLGa
M9s2LZ9NrE9SbiMjZrEUAQdryXLdJWJ93t0Bh6BrVgRiwOKbGgfW8U7T4pn16GQk
Hx8sKmSr/F8jXyJnG89TWe0pAlpsT24rj04HSCWXzJcZFlMEuw666W6Uu90QAziE
ciaM+kQ8RriWOaXNdXqsyW9wc7QsNMqirE47upUYK7wqDNyvEzyObwWzu2hWVzK3
RylnTr5ZbFTaJowFaLafkVQlqVVk5sS+cFhWcVTe8vvA3SdxPXHckHQXOjygS0rf
7uPf0UlruzlOIKIAs1uGiORzTzSwvA3Qht29sShWpULsB4abFO92gS/WfoEBZnW5
I9a9a//CAafbkpg/wQ1I
=pr0U
-----END PGP SIGNATURE-----